Metadata classification

ABSTRACT

Systems and method are disclosed that retrieve data from a data set organized in a plurality of columns. For each column in the plurality of columns, the systems and method generate one or more candidate semantic categories for the column, where each of the one or more candidate semantic categories has a corresponding probability. The systems and method create a feature vector for the column from the one or more candidate semantic categories and the corresponding probabilities. The systems and method determine a semantic category type of the column based on the feature vector. The systems and method anonymize the data in the column based on the semantic category type, which includes replacing more specific data in the column with less specific data based on a data hierarchy that relates the more specific data to the less specific data.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.17/163,156, filed on Jan. 29, 2021, which is incorporated herein byreference in its entirety.

TECHNICAL FIELD

The present disclosure relates to data processing and, in particular, toclassifying metadata for columnar data.

BACKGROUND

Customers want to understand their data and would like to have theability to automatically classify columns. Classification not only givescustomers an understanding of their data but also enables them to use avariety of data governance and data privacy tools. This will become moreimportant as more privacy regulations become law around the world. Aspart of those regulations it is imperative for customers to understandwhat personal data they have, where it is, how long they have had it,and how to protect it while still deriving insights. Classification isan important first step. In addition, classification can be used ingovernance, access control and policy management, personallyidentifiable information, and anonymization.

BRIEF DESCRIPTION OF THE DRAWINGS

The described embodiments and the advantages thereof may best beunderstood by reference to the following description taken inconjunction with the accompanying drawings. These drawings in no waylimit any changes in form and detail that may be made to the describedembodiments by one skilled in the art without departing from the spiritand scope of the described embodiments.

FIG. 1 is a block diagram depicting an example computing environment inwhich the methods disclosed herein may be implemented.

FIG. 2 is a schematic block diagram of one embodiment of aclassification and anonymization operation.

FIG. 3 is a schematic block diagram of one embodiment of aclassification operation of an input table to produce an output table.

FIG. 4 is a flow diagram of one embodiment of a method to perform aclassification and anonymization operation of a data set.

FIG. 5 is a flow diagram of one embodiment of a method to perform aclassification operation of a data set.

FIG. 6 is a flow diagram of one embodiment of a method to perform ananonymization operation of a data set.

FIG. 7 is a schematic block diagram of one embodiment of anonymizing aninput table.

FIG. 8 is a schematic block diagram of one embodiment of creating ananonymizing view for an input table

FIG. 9 is a schematic block diagram of one embodiment of an educationaldata hierarchy.

FIG. 10 is a block diagram of an example computing device that mayperform one or more of the operations described herein, in accordancewith some embodiments.

DETAILED DESCRIPTION

In the described systems and methods, a data storage system utilizes anSQL (Structured Query Language)-based relational database. However,these systems and methods are applicable to any type of database usingany data storage architecture and using any language to store andretrieve data within the database. The systems and methods describedherein further provide a multi-tenant system that supports isolation ofcomputing resources and data between different customers/clients andbetween different users within the same customer/client.

In one embodiment, a cloud computing platform can automatically classifycolumnar data that is part of a data set. Classification can allowcustomers an understanding of their data but also enables them to use avariety of data governance and data privacy tools, which can become moreimportant as more privacy regulations become law around the world. Aspart of those regulations it is imperative for customers to understandwhat personal data they have, where it is, how long they have had it,and how to protect it while still deriving insights. Classification isan important first step. In addition, classification can be used ingovernance, access control and policy management, personallyidentifiable information, and anonymization.

In this embodiment, the cloud computing platform retrieves data from adata set, where the data is columnar data or can be extracted ortransformed into columnar data. The cloud computing platform furtherdetermines one or more semantic categories for each of the columnsassociated with the data. The semantic categories can be generated byexamining the data using a variety of schemes to determine the one ormore semantic categories. For example, and in one embodiment, the cloudcomputing platform can apply whitelist and/or blacklist bloom filters,use a lookup table, and/or apply a range or a range and pattern.Different bloom filters or other schemes can be applied to the samecolumn to generate multiple different candidate semantic categories fora single column.

In addition, the cloud computing platform can determine a probabilityfor each of the candidate semantic categories. In one embodiment, theprobability represents a possibility that the column data fits theassociated semantic category. The cloud computing platform furtherdetermines a column semantic category using the probabilities of thecandidate semantic categories and a threshold. With the column semanticcategory determined for each column in the data set, the cloud computingplatform assigns a privacy category to the data set columns.Furthermore, the cloud computing platform can anonymize the data usingthe privacy categorizations of the data set.

FIG. 1 is a block diagram of an example computing environment 100 inwhich the systems and methods disclosed herein may be implemented. Inparticular, a cloud computing platform 110 may be implemented, such asAMAZON WEB SERVICES™ (AWS), MICROSOFT AZURE™, GOOGLE CLOUD™ or GOOGLECLOUD PLATFORM™, or the like. As known in the art, a cloud computingplatform 110 provides computing resources and storage resources that maybe acquired (purchased) or leased and configured to execute applicationsand store data.

The cloud computing platform 110 may host a cloud computing service 112that facilitates storage of data on the cloud computing platform 110(e.g. data management and access) and analysis functions (e.g., SQLqueries, analysis), as well as other computation capabilities (e.g.,secure data sharing between users of the cloud computing platform 110).The cloud computing platform 110 may include a three-tier architecture:data storage 140, query processing 130, and cloud services 120.

Data storage 140 may facilitate the storing of data on the cloudcomputing platform 110 in one or more cloud databases 141. Data storage140 may use a storage service such as AMAZON S3 to store data and queryresults on the cloud computing platform 110. In particular embodiments,to load data into the cloud computing platform 110, data tables may behorizontally partitioned into large, immutable files which may beanalogous to blocks or pages in a traditional database system. Withineach file, the values of each attribute or column are grouped togetherand compressed using a scheme sometimes referred to as hybrid columnar.Each table has a header which, among other metadata, contains theoffsets of each column within the file.

In addition to storing table data, data storage 140 facilitates thestorage of temp data generated by query operations (e.g., joins), aswell as the data contained in large query results. This may allow thesystem to compute large queries without out-of-memory or out-of-diskerrors. Storing query results this way may simplify query processing asit removes the need for server-side cursors found in traditionaldatabase systems.

Query processing 130 may handle query execution within elastic clustersof virtual machines, referred to herein as virtual warehouses or datawarehouses. Thus, query processing 130 may include one or more virtualwarehouses 131, which may also be referred to herein as data warehouses.The virtual warehouses 131 may be one or more virtual machines operatingon the cloud computing platform 110. The virtual warehouses 131 may becompute resources that may be created, destroyed, or resized at anypoint, on demand. This functionality may create an “elastic” virtualwarehouse that expands, contracts, or shuts down according to the user'sneeds. Expanding a virtual warehouse involves generating one or morecompute nodes 132 to a virtual warehouse 131. Contracting a virtualwarehouse involves removing one or more compute nodes 132 from a virtualwarehouse 131. More compute nodes 132 may lead to faster compute times.For example, a data load which takes fifteen hours on a system with fournodes might take only two hours with thirty-two nodes.

Cloud services 120 may be a collection of services that coordinateactivities across the cloud computing service 110. These services tietogether all of the different components of the cloud computing service110 in order to process user requests, from login to query dispatch.Cloud services 120 may operate on compute instances provisioned by thecloud computing service 110 from the cloud computing platform 110. Cloudservices 120 may include a collection of services that manage virtualwarehouses, queries, transactions, data exchanges, and the metadataassociated with such services, such as database schemas, access controlinformation, encryption keys, and usage statistics. Cloud services 120may include, but not be limited to, authentication engine 121,infrastructure manager 122, optimizer 123, exchange manager 124,security 125 engine, and metadata storage 126.

In one embodiment, the cloud computing service 112 can classify a dataset based on the contents of the data in the data set. In thisembodiment, the cloud computing service 112 retrieves data from a dataset, where the data is organized in a plurality of columns. The cloudcomputing service 112 can further generate one or more candidatesemantic categories for each column, where each of the one or morecandidate semantic categories has a corresponding probability. The cloudcomputing service 112 can further create a feature vector for eachcolumn from the one or more column candidate semantic categories and thecorresponding probabilities. Additionally, the cloud computing service112 can also select, for each column, a column semantic category fromthe one or more candidate semantic categories using at least the featurevector and a trained machine learning model.

FIG. 2 is a schematic block diagram of one embodiment of a system 200that performs a classification and anonymization operation on a dataset. In FIG. 2 , system 200 includes a cloud computing platform 204 thatretrieves a data set 202 and classifies and/or anonymizes that data set202 to give a classified and/or anonymized data set 206. In oneembodiment, the data set can be any type of data set stored in columnsor can be converted into columnar data (e.g., JavaScript ObjectNotation, key-value data, and/or other types of stored data). In afurther embodiment, the cloud computing platform 204 is a computingplatform that offers a variety of data processing and/or storageservices, such as cloud computing platform 110 described in FIG. 1above. In another embodiment, the client 206 is a personal computer,laptop, server, tablet, smart phone, and/or another type of device thatcan process data. In this embodiment, the client 206 can request theclassification and/or anonymization of the data set 202. In addition,the client 206 can present intermediate results and allow a user toalter the results. For example, and in one embodiment, the client canpresent semantic categories and/or semantic category types for each ofthe columns of the data set. A user may modify the semantic categoriesand/or the semantic category types for one or more of the columns andthe cloud computing platform 204 can re-classify and/or anonymize thedata set. In one embodiment, the classified and/or anonymized data 208is columnar data, organized using the columns determined by the cloudcomputing platform 204.

FIG. 3 is a schematic block diagram of one embodiment of aclassification operation 300 of an input table 302 to produce an outputtable 306. In FIG. 3 , the input table 302 includes columns 302A-C ofname 308A, age 308B, and “c” 308C. In one embodiment, the column “c”308A includes attribute-value contact data (“contact”, “home”, and“email”) that can be expanded into additional columns. In a furtherembodiment, the classifier 304 classifies the input data based on thecontent of the data in the columns 308A-C. In this embodiment, for eachcolumn, that classifier 304 analyzes the column data and determines oneor more candidate semantic categories for the column data. A semanticcategory is an identifier for the column that describes the data. Theclassifier 304 can generate multiple semantic categories for a singlecolumn as the column data may fit with different semantic categories.For example, and in one embodiment, a column with data describing namesmay also fit a description of street names.

In one embodiment, the classifier 304 classifies the data in columns308A-C from the input table 302 into the output table 306 with columns310A-E. The classifier, in this embodiment, converts a three data columnin the input data into four data columns: “name,” “age,”,“contact:phone” and “contact:email.” The classification output organizesthe data into a different structure of columns so as to organize theclassified data. In this embodiment, column 310A is the column_name forthe output table 306, where the column_name is the original column namein the input table 302. Column 310B is a path for the classified data(e.g., blank for separate column data such as column 308A-B and apathname for the data embedded in column 308C). Column 310C gives aninitial semantic category to the classified data. For example, and inone embodiment, the data with the column name “name” has a semanticcategory “name”, the data with the column name “age” has a semanticcategory “age,” the data with the column name “c” and path“contact:phone” has a semantic category “phone_number,” and the datawith the column name “c” and path “contact:email” has a semanticcategory “email.” In one embodiment, the semantic category for thecolumn data is equivalent to a semantic category.

With the semantic category assigned, a privacy category can be assigned.In one embodiment, the classifier 304 determines a privacy category forthe data based on the semantic category designation. In this embodiment,there are at least four different kinds of privacy categories:identifier, quasi-identifier, sensitive, and other. In anotherembodiment, there can be other types of the privacy categories. In oneembodiment, the privacy categories indicate how the data is to betreated during the anonymizing operation. For example, and in oneembodiment, data having a privacy category of identifier or sensitive issuppressed during the anonymizing operation. Identifier data is datathat can identify a person or thing, such as a name, email or phonenumber. Thus, if identifier data survives the anonymizing operation, theanonymity will be lost. Sensitive data, such as medical results, is atype of data that is not to be revealed for moral or legal reasons.Quasi-identifiers are attributes that may not identify a person or thingby themselves, but can be uniquely identifying an individual incombination. For example, an age, gender, and zip may be able toidentify an individual alone or in combination with other publiclyavailable data. Data with a privacy category of other is nottransformed.

As noted above, the classified data can have more than one possiblesemantic category. In one embodiment, the classifier 304 classifies the“name” as having a semantic category of “name” and also as a semanticcategory as “us_city.” Which semantic category that classifier choses toassign is based on a probability compute by the classifier. In oneembodiment, the probability is a possibility that the computed semanticcategory is correct for the data in that column. In this embodiment,each semantic category computed for a column of data will have acomputed probability. The classifier selects which semantic categorybased on the probability and a threshold. In one embodiment, theclassifier selects the semantic category with the highest probabilitythat is above the threshold. It is possible that the classifier does notselect any semantic category for a particular column. In one embodiment,the threshold is assigned by a user or is a default value. In anotherembodiment, the classifier calculates the threshold using a machinelearning mechanism.

In FIG. 3 , the classifier 304 computes two different semanticcategories for the “name” column: “name” with a probability of 0.9 and“us_city” with a probability of 0.1. In one embodiment, the classifierwould assign the “name” column with a semantic category of “name” basedon the relative priorities. In a further embodiment, a user could reviewthe classifications and manual change the classifications as desired.Classifying the data is further described in FIG. 5 below.

FIG. 4 is a flow diagram of one embodiment of a method 400 to perform aclassification and anonymization operation of a data set. In general,the method 400 may be performed by processing logic that may includehardware (e.g., processing device, circuitry, dedicated logic,programmable logic, microcode, hardware of a device, integrated circuit,etc.), software (e.g., instructions run or executed on a processingdevice), or a combination thereof. For example, the processing logic maybe implemented as the query processing 130. Method 400 may begin at step402, where the processing logic retrieves the data set. In oneembodiment, the data set is columnar data or can be extracted ortransformed into columnar data. At step 404, processing logic mayclassify the data set. In one embodiment, processing logic classifiesthe data set by determining the semantic characteristic of the data inthe data set. In one embodiment, processing logic determines thesemantic characteristics by classifying the data in the data set anddetermining one or more candidate semantic categories (or equivalently,semantic categories) for each of the columns in the dataset. In afurther embodiment, processing logic determines the semantic categoriesby applying a bloom filter, whitelist, and/or blacklist and furtherdetermining a probability for each of the semantic categories.Classification of the data set is further described in FIG. 5 below.

At step 406, processing logic determines an anonymized view of the dataset. In one embodiment, processing logic determines the anonymized viewby using the semantic categories and associated privacy categories toanonymize the data. In this embodiment, processing logic uses privacycategories to determine whether to suppress the individual data,anonymize the individual data, or ignore. Anonymizing the data set isfurther described in FIG. 6 below. Processing logic generates the viewat step 408.

FIG. 5 is a flow diagram of one embodiment of a method 500 to perform aclassification operation of a data set. In general, the method 500 maybe performed by processing logic that may include hardware (e.g.,processing device, circuitry, dedicated logic, programmable logic,microcode, hardware of a device, integrated circuit, etc.), software(e.g., instructions run or executed on a processing device), or acombination thereof. For example, the processing logic may beimplemented as the query processing 130. Method 500 may begin at step502, where the processing logic retrieves the data set. In oneembodiment, the data set is columnar data or data that can be extractedinto column data. For example, and in one embodiment, the data can be amixture of columns and embedded columns as illustrated in the inputtable 302 in FIG. 3 above.

Processing logic performs a processing loop (steps 504-516) to determinea column semantic category. At step 506, processing logic reviews thecolumn name (if available). In one embodiment, processing logic looksfor fragments in the column name to determine whether this column nameis a match to one of the possible semantic categories. In thisembodiment, processing logic uses a match to either boost theprobability that this semantic category is a match or lower a thresholdthat this semantic category is a match. For example, and in oneembodiment, a column name that is “Local Zip Code” matches the semanticcategory “zip code.” In this example, processing logic can boost aprobability by a certain percentage (e.g., 10% or another percentage) ordrop a threshold for a match by a certain percentage (e.g., 10% oranother percentage). Alternatively, a column name that is “Postal C” maynot be a match to one of the semantic categories. In this example,processing logic would not adjust the resulting probability or thresholdfrom this column name. Processing loop checks the cells of the columnsto determine the candidate semantic categories and probabilities at step508. In one embodiment, processing logic applies a variety of differentchecks for the possible semantic categories to determine the candidatesemantic categories and probabilities. If there are ten possiblesemantic categories, processing logic performs each of the possiblechecks for the ten possible semantic categories on the column data.While in one embodiment, there one check for a semantic category, inalternate embodiments, there can be more than one check for the semanticcategory (e.g., different checks for names or addresses based onlanguage or locality). This would result in ten different probabilitiesfor the ten different possible semantic categories for that column. Inthis embodiment, processing logic can apply one or more of the followingto the data in the column: whitelist/blacklist bloom filter, validator,lookup table, range, range/pattern, custom library function, and/oranother type of data checker.

In one embodiment, processing logic applies a bloom filter to the cellsof the column to determine a probability of a match for a semanticcategory. In this embodiment, the bloom filter is specific to aparticular type of semantic category. For example, and in oneembodiment, there can be a bloom filter for first names, last names, zipcode, street address, city, county, or another type of data. The bloomfilter can be populated with example content scraped from various datasources. For example, and in one embodiment, 160k first names or 100klast names scraped from the Internet to create a bloom filter for firstname or last names, respectively. Processing logic can apply some or allof the bloom filters to the column data to determine a probability thatthe column data could be in this semantic category. For example, and inone embodiment, if there are bloom filters for first name, last name,and city, processing logic can apply each of these bloom filters to thecolumn data to determine a probability that the column data is firstname, last name, and/or city data. In one embodiment, processing logicdetermines a probability for a semantic category by determining thenumber of cells in the column that match a semantic category divided bythe total number of cells that have data. In this embodiment, a columnmay be sparse, where not every cell in the column has data. Thus,processing logic would use the total number of cells in the column withdata. For example, and in one embodiment, if a column of data had 100cells, 50 with data, and 45 matched the semantic category of “name”, theprobability of a match for this semantic category would be 0.9.

In a further embodiment, there can be bloom filters for whitelistsand/or blacklists of data. For example, and in one embodiment, awhitelist bloom filter can be populated content that possibilities forthat semantic category (e.g., addresses bloom filter can have awhitelist with entries of “Washington” and “street”) and a blacklistbloom filter that can be populated with content is not associated withthat semantic category (e.g., a blacklist for a name bloom filter canhave an entry of “street”). If there is a whitelist and blacklist bloomfilter, then processing logic can determine a match for the bloom filterif the match is in the whitelist bloom filter and not the blacklistbloom filter or, alternatively, if the match is in both the whitelistbloom filter and the blacklist bloom filter. In one embodiment, therecan be a blacklist and/or whitelist bloom filter for different semanticcategories. In a further embodiment, a user can create their own bloomfilters from an entire column or from values that are not identified.

Alternatively, processing logic can employ different checks to determineother types of semantic categories. In one embodiment, there are customvalidators, which can be one or more rules of code, for semanticcategories that can be checked by algorithmic rules. For example, and inone embodiment, a validator for Internet Protocol (IP) address can beone that checks the standard format rules for a 32-bit or 128-bit IPaddresses. Similarly, there can be validators for other data types thatfollow strict formatting rules (e.g., (latitude, longitude), UniformResource Locator (URL), credit card numbers, email addresses, UnitedStates zip codes, and/or other data types with strict formatting rules).In another embodiment, processing logic can determine semanticcategories using other types of checks, such as a lookup table, ranges,ranges/pattern, and other types. In one embodiment, a lookup table canbe used for data with a relatively small spread (e.g., US states). Inaddition, ranges or range/patterns can be applied to determine semanticcategories for other data types (e.g., data of birth, age, gender,and/or other types). In one embodiment, processing logic determines aprobability for a semantic category by determining the number of cellsin the column that match the semantic category divided by the totalnumber of cells in the column that have a data value as described above.

At step 510, processing logic generates candidate semantic categoriesfor the column. In one embodiment, processing logic gathers thecandidate semantic categories computed from step 508 above. Processinglogic generates a threshold at step 512. In one embodiment, a thresholdfor a column can be manually assigned. In another embodiment, thethreshold for a column can be inferred using a machine learning model(e.g., a random forest machine learning model). The machine learningmodel is further described below. In this embodiment, processing logicuses a trained machine learning model to determine the column semanticcategory as described below.

At step 514, processing logic selects a column semantic category fromthe one or more candidate semantic categories using the threshold andthe probabilities of the one or more candidate semantic categories. Inone embodiment, processing logic selects the semantic category with thehighest probability that is above the threshold. It is possible thatprocessing logic does not select any semantic category for a particularcolumn. In another embodiment, processing logic uses a machine learningmodel to determine the column semantic category. In this embodiment,processing logic creates a feature vector from the probabilities fromthe semantic categories check described above. Processing logic inputsthis feature vector into the machine learning model, where the machinelearning model outputs a label that is the column semantic category. Inone embodiment, the trained machine learning model is a random forestmachine learning model where the thresholds for selecting a columnsemantic category are encoded in the trained machine learning model.

In one embodiment, the trained machine learning model is trained using atraining set of columnar training sets that include a variety of datawith assigned semantic categories. In this embodiment, the machinelearning model is iteratively trained using a machine learning algorithm(e.g., a random forest model) with the training sets. Each iteration,the weights in the machine learning model are adjusted such that the useof the machine learning model on the training sets gets closer andcloser to the correct semantic category labels for each of the trainingsets. When the machine learning model determines the correct semanticcategories for the input training set (to within a threshold), themachine learning model is trained.

The processing loop ends at step 516. Processing loop allows for useredits at step 518. In one embodiment, processing loop transmits thecolumn semantic categories to a client, where the client presents thesemantic categories for the data set (e.g., in a browser or other typeof application). In this embodiment, a user can review the semanticcategories for the different columns in the data set. A user may alterthe assignments, where the client sends the semantic categoryalterations to the processing logic. Processing logic receives thesemantic category alternations and finalizes the column assignments atstep 520.

As described above, one use of the semantic category assignments is touse these assignments for anonymizing the data in the data set. In oneembodiment, a cloud computing platform can anonymize the data in thedata set by creating an anonymized view of the data. In this embodiment,by creating the anonymized view, the underlying data is not transformed,so the data is preserved and can be used for a different anonymizationor for other purposes. The anonymized view allows a user to use the datawithout revealing identifiable data. FIG. 6 is a flow diagram of oneembodiment of a method 600 to perform an anonymization operation of adata set. In general, the method 600 may be performed by processinglogic that may include hardware (e.g., processing device, circuitry,dedicated logic, programmable logic, microcode, hardware of a device,integrated circuit, etc.), software (e.g., instructions run or executedon a processing device), or a combination thereof. For example, theprocessing logic may be implemented as the query processing 130. Method600 may begin at step 602, where the processing logic retrieves the dataset and the classification of the data set. In one embodiment, theclassification includes the semantic category and privacy categoryassignments for each of the columns of data in the dataset.

At step 604, processing logic retrieves the data hierarchies for thesemantic categories that are identified with a privacy category ofquasi-identifier. In one embodiment, a data hierarchy is a hierarchythat relates more specific data to less specific data. An example of adata hierarchy is shown in FIG. 9 below. Processing loop anonymizes thedata in the data set using the data hierarchies and the classification.In one embodiment, processing loop suppresses the data for each columnthat has a privacy category of identifier. In this embodiment, each datathat is an identifier can be used to uniquely identify an individual.Semantic categories with a privacy category of an identifier can be name(either first, last, full, and/or some variation on name), credit card,payment card, IP address, phone number, Social Security Number (or someother government identifying number), email address, passport number,vehicle identification number, International Mobile Equipment Identity,and/or another type of identifier.

In addition, processing logic suppresses the data for each column thathas a privacy category of sensitive. In one embodiment, a semanticcategory of sensitive is for data that individuals do not ordinarilydisclose in a general manner. This can be used for medically orfinancially sensitive data, such blood pressure, height, weight, salary,and/or other sensitive data. In one embodiment, suppressing data meansthat the data to be suppressed is not revealed in the anonymizing viewfor the data set.

In a further embodiment, processing logic anonymizes the data with aprivacy category of quasi-identifier. Anonymization is the “process bywhich personal data is irreversibly altered in such a way that a datasubject can no longer be identified directly or indirectly, either bythe data controller alone or in collaboration with any other party”.Risk based anonymization (or de-identification) is based on reducing therisk of re-identification while maximizing data utility.Re-identification is the process by which anonymized data is matchedwith its true owner. For example, a researcher was able to link aneasily purchased voter registration list with “anonymized” hospitaldata. The hospital data had only removed the names of the patients buttheir date of birth, gender and zip code were still in the data. Theresearcher showed that these three attributes were enough to re-identify87% of the US population.

One way to anonymize data is called k-Anonymity. k-Anonymity modifiesdirect-identifiers and indirect- or quasi-identifiers such that eachindividual record has at least k−1 other records in common with matchingquasi-identifiers. The groups of records with matching quasi-identifiersare known as equivalence classes. Transformation of the data fullyredacts direct identifiers while quasi-identifiers are generalized orsuppressed to satisfy the k constraint while minimizing informationloss. This is an NP-hard problem largely because the search space growsexponentially in the number of quasi-identifiers and the objectives areneither convex nor continuous. In one embodiment, processing logicanonymizes the data in the anonymizing view by applying a k-anonymityalgorithm such that the quasi-identifiable data is generalized tosatisfy the k constraint.

In one embodiment, processing logic can generalize quasi-identifier databy using a data hierarchy, applying a rule, mapping the data to a rangeor pattern, and/or other type of transformation. In this embodiment,applying a rule can be used for formatted data, such as deleting therightmost digit(s) from a zip code or IP address. In addition, mappingthe data to range can be done for an age data which maps a specific ageto a range of ages. At step 608, processing logic generates ananonymized view for the data set using the anonymizing data determinedabove.

FIG. 7 is a schematic block diagram of one embodiment of an anonymizingoperation 700 on an input table. In FIG. 7 , the input table 702includes columns for name 708A, gender 708B, age 708C, zip code 708D,and stay 708E. In one embodiment, the classifier identifies the columnsfor name 708A as an identifier, columns age 708C and zip 708D asquasi-identifiable, and the columns gender 708B and stay 708E as other(e.g., not identifier, quasi-identifier, or sensitive). The anonymizingoperation performs two different operations to anonymize the data:generalization and suppression (704). Generalization generalizes thedata using a k-anonymity operation (or other anonymizing scheme) using adata hierarchy or another type of operation. Suppression prevents thedata from being viewed. In FIG. 7 , suppression is applied to the namecolumn, resulting in no data being visible in name column 710A of outputview 706. Column 710B-D (age and zip code) are generalized. For example,and in one embodiment, the age data is converted from a specific age toan age range in column 710C and the zip code data is generalized byremoving the last three digits of the zip code. Because the gender andstay columns are classified as other, this data is generally nottransformed.

In one embodiment, if a row includes data that cannot be generalizedinto a group, then that row is suppressed. For example, and in oneembodiment, the row with the name of Travis Ortega has an age of 70 thatis outside of the age range of 55-56 and there is only one person in oraround age of 70. Because there is only one person in this age group,this row is suppressed in the output table 706 (except for the data inthe stay column 710E).

FIG. 8 is a schematic block diagram of one embodiment of creating 800 ananonymizing view 808 for an input table. In FIG. 8 , the base table 802and data hierarchies 804 are fed into the Equivalent Class (EC) Sizes806.In one embodiment, when a k-anonymous algorithm is applied to a dataset, k is the minimum anonymous class size for the quasi-identifierdata. If data is anonymized to smaller than the k class size, then thedata is suppressed (as shown in FIG. 7 above). This will generate theanonymized view 806.

FIG. 9 is a schematic block diagram of one embodiment of an educationaldata hierarchy 900. In one embodiment, a data hierarchy is a hierarchythat relates more specific data to less specific data. In FIG. 9 , thedata hierarchy 900 is an educational data hierarchy that relatesspecific education levels to a more general education level. Datahierarchy 900 includes three levels in the hierarchy, starting with theroot node 902 that has a value of NULL. The next level includes nodes904A-C that represent a broad level of education groups, such as highereducation 904A, secondary education 904B, and primary education 904C.Each of the nodes 904A-C is a child of the root node 902. In addition,each of the nodes 904A-C includes one or more children nodes thatrepresent a more specific type of education. For example, and in oneembodiment, the higher education node 904A has children nodes forgraduate 906A, undergraduate 906B, and professional education 906C. Inthis example, graduate 906A, undergraduate 906B, and professionaleducation 906C each represent a more specific type of higher education.Furthermore, the secondary node 904B has child node high school 906D,which represents a more specific type of secondary education. Inaddition, the primary education node 904C has a child node for primaryschool 906E, which represents a more specific type of primary education.

In one embodiment, the data hierarchy 900 can be used to anonymize thedata that is related to educational level. For example, and in oneembodiment, a column that includes college level education can beanonymized by replacing a specific college level education level to“higher education.”

FIG. 10 is a block diagram of an example computing device 1000 that mayperform one or more of the operations described herein, in accordancewith some embodiments. Computing device 1000 may be connected to othercomputing devices in a LAN, an intranet, an extranet, and/or theInternet. The computing device may operate in the capacity of a servermachine in client-server network environment or in the capacity of aclient in a peer-to-peer network environment. The computing device maybe provided by a personal computer (PC), a set-top box (STB), a server,a network router, switch or bridge, or any machine capable of executinga set of instructions (sequential or otherwise) that specify actions tobe taken by that machine. Further, while only a single computing deviceis illustrated, the term “computing device” shall also be taken toinclude any collection of computing devices that individually or jointlyexecute a set (or multiple sets) of instructions to perform the methodsdiscussed herein.

The example computing device 1000 may include a processing device (e.g.,a general purpose processor, a PLD, etc.) 1002, a main memory 1004(e.g., synchronous dynamic random access memory (DRAM), read-only memory(ROM)), a static memory 1006 (e.g., flash memory and a data storagedevice 1010), which may communicate with each other via a bus 1030.

Processing device 1002 may be provided by one or more general-purposeprocessing devices such as a microprocessor, central processing unit, orthe like. In an illustrative example, processing device 1002 maycomprise a complex instruction set computing (CISC) microprocessor,reduced instruction set computing (RISC) microprocessor, very longinstruction word (VLIW) microprocessor, or a processor implementingother instruction sets or processors implementing a combination ofinstruction sets. Processing device 1002 may also comprise one or morespecial-purpose processing devices such as an application specificintegrated circuit (ASIC), a field programmable gate array (FPGA), adigital signal processor (DSP), network processor, or the like. Theprocessing device 1002 may be configured to execute the operationsdescribed herein, in accordance with one or more aspects of the presentdisclosure, for performing the operations and steps discussed herein. Inone embodiment, processing device 1002 represents cloud computingplatform 110 of FIG. 1 . In another embodiment, processing device 1002represents a processing device of a client device (e.g., client devices101-104).

Computing device 1000 may further include a network interface device1008 which may communicate with a network 1020. The computing device1000 also may include a video display unit 1010 (e.g., a liquid crystaldisplay (LCD) or a cathode ray tube (CRT)), an alphanumeric input device1012 (e.g., a keyboard), a cursor control device 1014 (e.g., a mouse)and an acoustic signal generation device 1016 (e.g., a speaker). In oneembodiment, video display unit 1010, alphanumeric input device 1012, andcursor control device 1014 may be combined into a single component ordevice (e.g., an LCD touch screen).

Data storage device 10010 may include a computer-readable storage medium1028 on which may be stored one or more sets of instructions, e.g.,instructions for carrying out the operations described herein, inaccordance with one or more aspects of the present disclosure.Classification instructions 1026 may also reside, completely or at leastpartially, within main memory 1004 and/or within processing device 1002during execution thereof by computing device 1000, main memory 1004 andprocessing device 1002 also constituting computer-readable media. Theinstructions may further be transmitted or received over a network 1020via network interface device 1008.

While computer-readable storage medium 1028 is shown in an illustrativeexample to be a single medium, the term “computer-readable storagemedium” should be taken to include a single medium or multiple media(e.g., a centralized or distributed database and/or associated cachesand servers) that store the one or more sets of instructions. The term“computer-readable storage medium” shall also be taken to include anymedium that is capable of storing, encoding or carrying a set ofinstructions for execution by the machine and that cause the machine toperform the methods described herein. The term “computer-readablestorage medium” shall accordingly be taken to include, but not belimited to, solid-state memories, optical media and magnetic media.

Unless specifically stated otherwise, terms such as “retrieving,”“generating,” “selecting,” “determining,” “anonymizing,” “computing,”“applying,” “adjusting,” or the like, refer to actions and processesperformed or implemented by computing devices that manipulates andtransforms data represented as physical (electronic) quantities withinthe computing device's registers and memories into other data similarlyrepresented as physical quantities within the computing device memoriesor registers or other such information storage, transmission or displaydevices. Also, the terms “first,” “second,” “third,” “fourth,” etc., asused herein are meant as labels to distinguish among different elementsand may not necessarily have an ordinal meaning according to theirnumerical designation.

Examples described herein also relate to an apparatus for performing theoperations described herein. This apparatus may be specially constructedfor the required purposes, or it may comprise a general purposecomputing device selectively programmed by a computer program stored inthe computing device. Such a computer program may be stored in acomputer-readable non-transitory storage medium.

The methods and illustrative examples described herein are notinherently related to any particular computer or other apparatus.Various general purpose systems may be used in accordance with theteachings described herein, or it may prove convenient to construct morespecialized apparatus to perform the required method steps. The requiredstructure for a variety of these systems will appear as set forth in thedescription above.

The above description is intended to be illustrative, and notrestrictive. Although the present disclosure has been described withreferences to specific illustrative examples, it will be recognized thatthe present disclosure is not limited to the examples described. Thescope of the disclosure should be determined with reference to thefollowing claims, along with the full scope of equivalents to which theclaims are entitled.

As used herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”,“comprising”, “includes”, and/or “including”, when used herein, specifythe presence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof. Therefore, the terminology usedherein is for the purpose of describing particular embodiments only andis not intended to be limiting.

It should also be noted that in some alternative implementations, thefunctions/acts noted may occur out of the order noted in the figures.For example, two figures shown in succession may in fact be executedsubstantially concurrently or may sometimes be executed in the reverseorder, depending upon the functionality/acts involved.

Although the method operations were described in a specific order, itshould be understood that other operations may be performed in betweendescribed operations, described operations may be adjusted so that theyoccur at slightly different times or the described operations may bedistributed in a system which allows the occurrence of the processingoperations at various intervals associated with the processing.

Various units, circuits, or other components may be described or claimedas “configured to” or “configurable to” perform a task or tasks. In suchcontexts, the phrase “configured to” or “configurable to” is used toconnote structure by indicating that the units/circuits/componentsinclude structure (e.g., circuitry) that performs the task or tasksduring operation. As such, the unit/circuit/component can be said to beconfigured to perform the task, or configurable to perform the task,even when the specified unit/circuit/component is not currentlyoperational (e.g., is not on). The units/circuits/components used withthe “configured to” or “configurable to” language include hardware—forexample, circuits, memory storing program instructions executable toimplement the operation, etc. Reciting that a unit/circuit/component is“configured to” perform one or more tasks, or is “configurable to”perform one or more tasks, is expressly intended not to invoke 35 U.S.C.112, sixth paragraph, for that unit/circuit/component. Additionally,“configured to” or “configurable to” can include generic structure(e.g., generic circuitry) that is manipulated by software and/orfirmware (e.g., an FPGA or a general-purpose processor executingsoftware) to operate in manner that is capable of performing the task(s)at issue. “Configured to” may also include adapting a manufacturingprocess (e.g., a semiconductor fabrication facility) to fabricatedevices (e.g., integrated circuits) that are adapted to implement orperform one or more tasks. “Configurable to” is expressly intended notto apply to blank media, an unprogrammed processor or unprogrammedgeneric computer, or an unprogrammed programmable logic device,programmable gate array, or other unprogrammed device, unlessaccompanied by programmed media that confers the ability to theunprogrammed device to be configured to perform the disclosedfunction(s).

Any combination of one or more computer-usable or computer-readablemedia may be utilized. For example, a computer-readable medium mayinclude one or more of a portable computer diskette, a hard disk, arandom access memory (RAM) device, a read-only memory (ROM) device, anerasable programmable read-only memory (EPROM or Flash memory) device, aportable compact disc read-only memory (CDROM), an optical storagedevice, and a magnetic storage device. Computer program code forcarrying out operations of the present disclosure may be written in anycombination of one or more programming languages. Such code may becompiled from source code to computer-readable assembly language ormachine code suitable for the device or computer on which the code willbe executed.

Embodiments may also be implemented in cloud computing environments. Inthis description and the following claims, “cloud computing” may bedefined as a model for enabling ubiquitous, convenient, on-demandnetwork access to a shared pool of configurable computing resources(e.g., networks, servers, storage, applications, and services) that canbe rapidly provisioned (including via virtualization) and released withminimal management effort or service provider interaction and thenscaled accordingly. A cloud model can be composed of variouscharacteristics (e.g., on-demand self-service, broad network access,resource pooling, rapid elasticity, and measured service), servicemodels (e.g., Software as a Service (“SaaS”), Platform as a Service(“PaaS”), and Infrastructure as a Service (“IaaS”)), and deploymentmodels (e.g., private cloud, community cloud, public cloud, and hybridcloud). The flow diagrams and block diagrams in the attached figuresillustrate the architecture, functionality, and operation of possibleimplementations of systems, methods, and computer program productsaccording to various embodiments of the present disclosure. In thisregard, each block in the flow diagrams or block diagrams may representa module, segment, or portion of code, which comprises one or moreexecutable instructions for implementing the specified logicalfunction(s). It will also be noted that each block of the block diagramsor flow diagrams, and combinations of blocks in the block diagrams orflow diagrams, may be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions. These computerprogram instructions may also be stored in a computer-readable mediumthat can direct a computer or other programmable data processingapparatus to function in a particular manner, such that the instructionsstored in the computer-readable medium produce an article of manufactureincluding instruction means which implement the function/act specifiedin the flow diagram and/or block diagram block or blocks.

The foregoing description, for the purpose of explanation, has beendescribed with reference to specific embodiments. However, theillustrative discussions above are not intended to be exhaustive or tolimit the invention to the precise forms disclosed. Many modificationsand variations are possible in view of the above teachings. Theembodiments were chosen and described in order to best explain theprinciples of the embodiments and its practical applications, to therebyenable others skilled in the art to best utilize the embodiments andvarious modifications as may be suited to the particular usecontemplated. Accordingly, the present embodiments are to be consideredas illustrative and not restrictive, and the invention is not to belimited to the details given herein, but may be modified within thescope and equivalents of the appended claims.

What is claimed is:
 1. A method comprising: retrieving data from a dataset, wherein the data is organized in a plurality of columns; and foreach column in the plurality of columns: generating one or morecandidate semantic categories for the column, wherein each of the one ormore candidate semantic categories has a corresponding probability;creating a feature vector for the column from the one or more candidatesemantic categories and the corresponding probabilities; determining asemantic category type of the column based on the feature vector; andanonymizing the data in the column based on the semantic category type,wherein the anonymizing comprises replacing more specific data in thecolumn with less specific data based on a data hierarchy that relatesthe more specific data to the less specific data.
 2. The method of claim1, wherein the data hierarchy comprises a lower level and a higherlevel, the method further comprising: matching the data from the columnwith a lower level location in the lower level of the data hierarchy;and identifying the less specific data in the higher level at a higherlevel location that relates to the lower level location.
 3. The methodof claim 1, further comprising: determining that the semantic categorytype is an identifier semantic type or a quasi-identifier type; andperforming the anonymizing of the data in response to determining thatthe semantic category type is the identifier semantic type or thequasi-identifier type.
 4. The method of claim 1, further comprising:inputting the feature vector into a trained machine learning model,wherein the trained machine learning model comprises an encodedthreshold and identifies one of the one or more candidate semanticcategories having a corresponding probability above the encodedthreshold; and assigning the column semantic category identified by thetrained machine learning model to the column.
 5. The method of claim 1,further comprising: anonymizing the data, for each of the plurality ofcolumns on an individual basis, based on the semantic category type ofthe corresponding column.
 6. The method of claim 1, further comprising:generating the probability for each of the one or more candidatesemantic categories, the generating further comprising: selecting acolumn from the plurality of columns; applying a bloom filter with apotential semantic category to the data of that column; and computingthe probability for the column selected based on a set of results fromthe applying of the bloom filter to the data in the column.
 7. Themethod of claim 6, wherein the bloom filter is selected from the groupconsisting of a whitelist bloom filter and a blacklist bloom filter. 8.A system comprising: a set of storage resources; a query processor to:retrieve data from a data set, wherein the data is organized in aplurality of columns; and for each column in the plurality of columns:generate, with the query processor, one or more candidate semanticcategories for the column, wherein each of the one or more candidatesemantic categories has a corresponding probability; create a featurevector for the column from the one or more candidate semantic categoriesand the corresponding probabilities; determine a semantic category typeof the column based on the feature vector; and anonymize the data in thecolumn based on the semantic category type, wherein the anonymizationcomprises replacing more specific data in the column with less specificdata based on a data hierarchy that relates the more specific data tothe less specific data.
 9. The system of claim 8, wherein the datahierarchy comprises a lower level and a higher level, and wherein thequery processor further to: match the data from the column with a lowerlevel location in the lower level of the data hierarchy; and identifythe less specific data in the higher level at a higher level locationthat relates to the lower level location.
 10. The system of claim 8,wherein the query processor further to: determine that the semanticcategory type is an identifier semantic type or a quasi-identifier type;and perform the anonymization of the data in response to thedetermination that the semantic category type is the identifier semantictype or the quasi-identifier type.
 11. The system of claim 8, whereinthe query processor further to: input the feature vector into a trainedmachine learning model, wherein the trained machine learning modelcomprises an encoded threshold and identifies one of the one or morecandidate semantic categories having a corresponding probability abovethe encoded threshold; and assign the column semantic categoryidentified by the trained machine learning model to the column.
 12. Thesystem of claim 8, wherein the query processor further to: anonymize thedata, for each of the plurality of columns on an individual basis, basedon the semantic category type of the corresponding column.
 13. Thesystem of claim 8, wherein the query processor further to: select acolumn from the plurality of columns; apply a bloom filter with apotential semantic category to the data of that column; and compute theprobability for the column selected based on a set of results from theapplying of the bloom filter to the data in the column.
 14. The systemof claim 13, wherein the bloom filter is selected from the groupconsisting of a whitelist bloom filter and a blacklist bloom filter. 15.A non-transitory machine-readable medium storing instructions which,when executed by one or more processors of a computing device, cause theone or more processors to: retrieve data from a data set, wherein thedata is organized in a plurality of columns; and for each column in theplurality of columns: generate, with the one or more processors, one ormore candidate semantic categories for the column, wherein each of theone or more candidate semantic categories has a correspondingprobability; create a feature vector for the column from the one or morecandidate semantic categories and the corresponding probabilities;determine a semantic category type of the column based on the featurevector; and anonymize the data in the column based on the semanticcategory type, wherein the anonymization comprises replacing morespecific data in the column with less specific data based on a datahierarchy that relates the more specific data to the less specific data.16. The non-transitory machine-readable medium of claim 15, wherein thedata hierarchy comprises a lower level and a higher level, and whereinthe instructions further cause the one or more processors to: match thedata from the column with a lower level location in the lower level ofthe data hierarchy; and identify the less specific data in the higherlevel at a higher level location that relates to the lower levellocation.
 17. The non-transitory machine-readable medium of claim 15,wherein the instructions further cause the one or more processors to:determine that the semantic category type is an identifier semantic typeor a quasi-identifier type; and perform the anonymization of the data inresponse to the determination that the semantic category type is theidentifier semantic type or the quasi-identifier type.
 18. Thenon-transitory machine-readable medium of claim 15, wherein theinstructions further cause the one or more processors to: input thefeature vector into a trained machine learning model, wherein thetrained machine learning model comprises an encoded threshold andidentifies one of the one or more candidate semantic categories having acorresponding probability above the encoded threshold; and assign thecolumn semantic category identified by the trained machine learningmodel to the column.
 19. The non-transitory machine-readable medium ofclaim 15, wherein the instructions further cause the one or moreprocessors to: anonymize the data, for each of the plurality of columnson an individual basis, based on the semantic category type of thecorresponding column.
 20. The non-transitory machine-readable medium ofclaim 15, wherein the instructions further cause the one or moreprocessors to: select a column from the plurality of columns; apply abloom filter with a potential semantic category to the data of thatcolumn; and compute the probability for the column selected based on aset of results from the applying of the bloom filter to the data in thecolumn.